The invention relates to a method and an arrangement for arranging data protection disclosed in the preambles of the independent claims.
In mobile communication systems, at least one part of a transmission path is comprised of a wireless section, whereby data transmission takes place via a radio path. A radio path is a physically open resource, which puts security at risk. Various solutions have been developed in digital mobile communication systems to arrange data protection, including ciphering methods and methods for identifying, i.e. authenticating, a user or a subscriber.
In mobile communications systems, a mobile network typically carries out subscriber authentication in order to make sure that only correct parties have an access right. For example, a mobile station in a digital GSM system comprises a subscriber identity module SIM application comprising means for authenticating the subscriber. The SIM application further uses a personal identity number PIN check, whereby only the person who knows the PIN code can use the SIM application. In authentication, the mobile station transmits to the GSM network identification information, and the SIM and thus also the subscriber are authenticated on the basis of this information. The SIM comprises mobile-operator-specific information, including a SIM-specific international mobile subscriber identity IMSI of a mobile services subscriber. Typically, the SIM also comprises a temporary mobile subscriber identity TMSI within a location area, which can be used to avoid transferring the IMSI over a radio path.
A mobile switching centre MSC, which typically also comprises a visitor location register VLR, transmits an authentication request to an authentication centre AuC. The authentication centre AuC is typically located as a part of a home location register HLR of the subscriber. Subscriber authentication information and authentication algorithms are stored in the authentication centre. On the basis of the IMSI comprised in the authentication request, the authentication centre AuC selects a subscriber-specific authentication key Ki. In addition, a random-number generator generates a number of random-number parameters RAND, which, together with the key Ki, are used to provide each RAND parameter with a checking parameter SRES by applying authentication algorithm A3. The authentication centre AuC typically transmits these RAND/SRES parameters simultaneously with a calculated cipher key Kc to the visitor location register VLR to be stored.
When the VLR wishes to authenticate a subscriber, it selects a RAND value for the parameter from a RAND/SRES table corresponding to the present subscriber and transmits the RAND value to the mobile station and further to the SIM application. The SIM comprises the same authentication key Ki and authentication algorithm A3 as those used at the authentication centre AuC. The SIM calculates the SRES parameter, which is the authentication response, by means of the received RAND parameter and the key Ki by applying algorithm A3. The mobile station returns the SRES parameter to the visitor location register VLR. The VLR compares the SRES value transmitted by the mobile station with a stored SRES value, and if they are the same, the authentication has succeeded. In principle, the GSM network can request authentication at any stage when a mobile station is registered in the network. Authentication can be carried out particularly when a mobile station registers in a network.
Ciphering is used in many telecommunication systems to prevent data to be transmitted from becoming subject to unauthorised access. For example, it is possible in the GSM system to use ciphering of data transmission which is difficult to crack, whereby speech and data converted into digital form are ciphered at the mobile station to be transmitted over the radio path. Similarly, received ciphered data in the GSM network is deciphered into plain speech and data. In connection with the present application, ciphering can refer either to ciphering or deciphering of traffic. Ciphering and user authentication utilise cipher keys and ciphering algorithms accessible to the particular transmission and reception equipment only.
When in the GSM system the mobile switching centre MSC/VLR has authenticated the user, ciphering of the traffic to be transmitted can be initiated. The cipher key Kc is calculated in connection with authentication by means of the secret key Ki and the random number RAND by applying algorithm A8 both at the authentication centre AuC and the SIM. Algorithms A3 and A8 are typically implemented such that both the SRES parameter and the cipher key Kc are calculated simultaneously. In the authentication parameters the authentication centre transmits the cipher key Kc with the RAND and SRES parameters to the visitor location register VLR, whereby these three parameters form a “triplet”. The cipher key Kc is stored in the visitor location register VLR. The visitor location register VLR transmits the random number RAND to the SIM application for authentication and cipher key calculation. The SIM calculates the cipher key Kc typically in connection with calculating the SRES parameter on the basis of the RAND parameter and the secret key Ki by applying algorithm A8. Consequently, calculating the cipher key Kc is a part of the GSM authentication. The cipher key Kc is stored in the SIM application. According to the GSM standard, the Kc is 64 bits at most.
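The authentication and cipher key calculation described above can be followed in code. The following is an added illustration, not part of the original text: it models the AuC issuing RAND/SRES/Kc triplets, the VLR challenging the SIM with RAND and comparing SRES values, and both sides ending up with the same Kc while Ki stays in the AuC and the SIM. Since A3 and A8 are not specified here, a3_a8 uses HMAC-SHA256 as an assumed stand-in; the class names, the test IMSI and the Ki are constructed for the example.

```python
import hashlib, hmac, secrets

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the combined A3/A8 step (assumption: HMAC-SHA256, not a
    real operator algorithm). Returns (SRES, 32 bits; Kc, 64 bits)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

class AuC:
    """Authentication centre: selects Ki by IMSI and issues triplets."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)           # IMSI -> Ki, never leaves the AuC
    def triplets(self, imsi, count=3):
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)     # 128-bit RAND
            sres, kc = a3_a8(self._ki[imsi], rand)
            out.append((rand, sres, kc))
        return out

class SIM:
    """SIM application: holds the same Ki and algorithm as the AuC."""
    def __init__(self, ki):
        self._ki, self.kc = ki, None
    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)  # Kc is stored in the SIM
        return sres

class VLR:
    """Visitor location register: stores triplets and compares SRES values."""
    def __init__(self, auc):
        self._auc, self._table, self.kc = auc, {}, {}
    def authenticate(self, imsi, sim):
        if not self._table.get(imsi):
            self._table[imsi] = self._auc.triplets(imsi)
        rand, sres, kc = self._table[imsi].pop()   # this sketch uses a triplet once
        if not hmac.compare_digest(sim.respond(rand), sres):
            return False
        self.kc[imsi] = kc                     # later passed to the base station for A5
        return True

# Constructed sample subscriber (test IMSI and random Ki, not real data).
IMSI = "001010123456789"
KI = secrets.token_bytes(16)

def demo():
    vlr = VLR(AuC({IMSI: KI}))
    genuine, wrong_key = SIM(KI), SIM(secrets.token_bytes(16))
    return (vlr.authenticate(IMSI, genuine), vlr.kc.get(IMSI) == genuine.kc,
            vlr.authenticate(IMSI, wrong_key))
```

demo() returns the result of authenticating a SIM holding the correct Ki, whether the VLR and that SIM hold the same Kc afterwards, and the result for a SIM holding a different Ki.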
When the mobile switching centre MSC/VLR commands ciphering to be initiated, the cipher key Kc is transmitted from the visitor location register VLR to a base station. Furthermore, a command is transmitted to the mobile station, which starts using the Kc calculated at the SIM. The GSM network selects the ciphering algorithm on the basis of the identifier of the ciphering algorithm comprised in a “classmark” identifier transmitted by the mobile station. The base station and the mobile station carry out traffic ciphering and deciphering, depending on the direction of the traffic, by means of the cipher key Kc and the number of the traffic frame by applying algorithm A5. The GSM System for Mobile Communications by M. Mouly and M. Pautet, Palaiseau, France, 1992, ISBN: 2-9507190-0-7, for example, discloses a more detailed description of the GSM system.
Third generation mobile communication systems have been developed throughout the world. The 3rd generation partnership project 3GPP standardizes a third generation mobile communication system which is based on the GSM system and called the universal mobile telecommunications system UMTS, which comprises a new radio interface, for example. The UMTS radio interface will be based on the wideband code division multiple access WCDMA technique. The GSM core network will be utilised in the UMTS system, whereby connection management and mobility management will mainly remain the same. The UMTS system will provide circuit-switched services and packet-switched services. The packet-switched services will probably be based on the general packet radio service GPRS in the GSM.
An essential requirement in the UMTS system is the handover requirement between the GSM and the UMTS. In connection with the present application, handover refers to changing a radio traffic connection and radio traffic responsibility from a source system to a target system without the data transfer connection provided for a user service being substantially disconnected. In the GSM/UMTS handover, the connection is thus handed over from the UMTS system to the GSM system, or vice versa. In the GSM/UMTS handover, the connection provided for the user remains uninterrupted in the same way as in the existing internal handover in the GSM system. This enables the UMTS system to be rapidly introduced since, particularly in the beginning, the GSM system with its extensive coverage area can be used as backup. For this purpose, it is probable that devices called dual-mode mobile stations supporting both the GSM system and the UMTS system will appear on the market.
In the UMTS standardization work, it is likely that a solution with mainly similar principles to the GSM procedures will be selected as far as the security architecture is concerned. In such a case, as high compatibility with the GSM architecture as possible can be achieved. Both the UMTS network and a user service identity module USIM application of the SIM identity application kind in the GSM comprise a secret key which is required for carrying out authentication. Changes will primarily relate to key lengths and algorithms used; document TR S3.03 version 0.1.2 “3G Security: Security Architecture” in the 3GPP discusses security requirements in the UMTS system. Particularly the cipher key to be used will probably be longer than in the GSM system.
In order to support the GSM system, a UMTS IC card UICC comprising the USIM application may also comprise the SIM application of the GSM system. The UMTS system further requires that services may be provided to mobile stations with only a smart card comprising a GSM identity SIM application. Furthermore, at the early stage the GSM/UMTS core network may be the same, so the core network of the UMTS system can also support authentication and ciphering according to the GSM system as well.
In the GSM system, in a handover situation, ciphering parameters used in handover between mobile switching centres, such as the cipher key, are transmitted from the source network to the target network. Hence, when a connection is handed over from the GSM network to the UMTS network, the cipher key Kc according to the GSM can be used while the traffic remains ciphered all the time. It is naturally required that the UMTS network supports the ciphering according to the GSM system. It is also possible to carry out authentication according to the UMTS system and start using a UMTS cipher key after handover.
When the mobile station is in the UMTS network, a cipher key according to the UMTS system is available for its use. When handover from the UMTS system to the GSM system is carried out, the problem is the ciphering since a base station sub-system BSS according to the GSM system is not necessarily able to carry out the ciphering by the UMTS parameters. Consequently, the UMTS cipher key cannot be used as such after handover, according to the GSM principles. According to the prior art, when a change to the GSM system takes place, authentication according to the GSM system can be carried out after handover. In such a case, GSM ciphering can be initiated only after the cipher key Kc has been calculated. This, however, is time-consuming, and some of the traffic will be transferred over the GSM radio interface unciphered.